Re: [ossec-list] Re: Help with decoder + rules

2012-11-27 Thread Scott
On Friday, November 23, 2012 7:20:44 AM UTC-6, dan (ddpbsd) wrote:

> > etc/local_decoder.xml:
> > <decoder name="zabbix">
> >   <prematch>^Zabbix Server[\d+]: </prematch>
> > </decoder>
> >
> > <decoder name="zabbix-check-failed">
> >   <parent>zabbix</parent>
> >   <regex offset="after_parent">Sending list of active checks to [(\S+)] (failed): host [(\S+)] not found</regex>
> >   <order>dstip,status,extra_data</order>
> > </decoder>
> >
> > rules/local_rules.xml:
> > <group name="zabbix">
> >   <rule id="100100" level="2">
> >     <decoded_as>zabbix</decoded_as> <!-- tried also with this commented out -->
> >     <description>Zabbix server messages</description>
> >   </rule>
> > </group>
>
> Add a rule that does something:
>
>   <rule id="100101" level="1">
>     <if_sid>100100</if_sid>
>     <match>Sending list of active checks to</match>
>     <description>Silly.</description>
>   </rule>
> ...
>
> 1002 actually matches something (fail) more than the decoder, I think
> that's why it is being prioritized over a grouping rule.


I tried that and it didn't work -- I ended up having to add an
<if_sid>1002</if_sid> for id 100100 to get it to match.
I'd prefer to short change all of the above rules, but I guess this is
acceptable -- then I'm basically checking for failed zabbix messages.

On the other hand that is all I'm really checking for right now anyway.
I guess I don't understand how group= works fully.


Re: [ossec-list] Re: Help with decoder + rules

2012-11-27 Thread dan (ddp)
On Tue, Nov 27, 2012 at 11:14 AM, Scott wa6...@gmail.com wrote:
> On Friday, November 23, 2012 7:20:44 AM UTC-6, dan (ddpbsd) wrote:
>
> > > etc/local_decoder.xml:
> > > <decoder name="zabbix">
> > >   <prematch>^Zabbix Server[\d+]: </prematch>
> > > </decoder>
> > >
> > > <decoder name="zabbix-check-failed">
> > >   <parent>zabbix</parent>
> > >   <regex offset="after_parent">Sending list of active checks to [(\S+)] (failed): host [(\S+)] not found</regex>
> > >   <order>dstip,status,extra_data</order>
> > > </decoder>
> > >
> > > rules/local_rules.xml:
> > > <group name="zabbix">
> > >   <rule id="100100" level="2">
> > >     <decoded_as>zabbix</decoded_as> <!-- tried also with this commented out -->
> > >     <description>Zabbix server messages</description>
> > >   </rule>
> > > </group>
> >
> > Add a rule that does something:
> >
> >   <rule id="100101" level="1">
> >     <if_sid>100100</if_sid>
> >     <match>Sending list of active checks to</match>
> >     <description>Silly.</description>
> >   </rule>
> > ...
> >
> > 1002 actually matches something (fail) more than the decoder, I think
> > that's why it is being prioritized over a grouping rule.
>
> I tried that and it didn't work -- I ended up having to add an
> <if_sid>1002</if_sid> for id 100100 to get it to match.
> I'd prefer to short change all of the above rules, but I guess this is
> acceptable -- then I'm basically checking for failed zabbix messages.


Oops, that's because the levels are wrong. Bump the level up above the
level of 1002 and it should match.

> On the other hand that is all I'm really checking for right now anyway.
> I guess I don't understand how group= works fully.

<group name="something">
  <rule id="some_id" level="10">
    <match>^blahblah</match>
    <description>Stuff</description>
  </rule>
</group>

Rule some_id is part of the something group. You can use
<if_group>something</if_group> to match it, and any other alert in the
something group.

Quick example:
<group name="zabbix">
  <rule id="100100" level="4">
    <decoded_as>zabbix</decoded_as>
    <description>Zabbix server messages</description>
  </rule>
</group>

<group name="syslog,local">
  <rule id="100101" level="2">
    <if_group>zabbix</if_group>
    <match>Sending list of active checks to</match>
    <description>Silly.</description>
  </rule>
</group>

This works the same way my previous example (with corrected levels)
works, except we aren't checking for sid 100100, we're checking for
the group zabbix.

# cat /tmp/z | /var/ossec/bin/ossec-logtest
2012/11/27 11:27:00 ossec-testrule: INFO: Reading local decoder file.
2012/11/27 11:27:00 ossec-testrule: INFO: Started (pid: 26720).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: 'Nov 20 21:05:33 abc Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found'
       hostname: 'abc'
       program_name: '(null)'
       log: 'Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found'

**Phase 2: Completed decoding.
   decoder: 'zabbix'
   dstip: '1.2.3.4'
   status: 'failed'
   extra_data: 'abc.example.com'

**Phase 3: Completed filtering (rules).
   Rule id: '100101'
   Level: '2'
   Description: 'Silly.'
**Alert to be generated.
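
To make the level ordering concrete, here is a small Python model of the selection dan describes (an added example, not OSSEC's own code and not from the thread): it runs the thread's two decoders over the sample line, then picks a rule highest level first, ties going to whichever rule loaded first, and descends into if_sid/if_group children after a hit. Rule 1002 is approximated as a level-2 rule matching the word "failed", and the tree walk is a simplification of what ossec-analysisd really does.

```python
import re
# Constructed sample: the thread's syslog payload after pre-decoding.
LOG = ("Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] "
       "failed: host [abc.example.com] not found")
# The thread's two decoders in Python regex syntax; ORDER is the child's <order>.
PREMATCH = re.compile(r"^Zabbix Server\[\d+\]: ")
CHILD = re.compile(r"Sending list of active checks to \[(\S+)\] (failed): "
                   r"host \[(\S+)\] not found")
ORDER = ("dstip", "status", "extra_data")

def decode(log):
    """Parent prematch, then the child regex from where the parent ended."""
    m = PREMATCH.match(log)
    if not m:
        return None
    fields = {"decoder": "zabbix"}
    c = CHILD.match(log, m.end())  # offset="after_parent"
    if c:
        fields.update(zip(ORDER, c.groups()))
    return fields

def evaluate(rules, log):
    """Simplified model: top-level rules tried highest level first, ties in load
    order; the first hit hands off to its if_sid/if_group children, ranked alike."""
    ev = decode(log) or {}
    def matches(r):
        if "decoded_as" in r and ev.get("decoder") != r["decoded_as"]:
            return False
        return "match" not in r or re.search(r["match"], log) is not None
    def child_of(r, parent):
        if parent is None:
            return "if_sid" not in r and "if_group" not in r
        return r.get("if_sid") == parent["id"] or r.get("if_group") in parent["groups"]
    def walk(parent):
        ranked = sorted((r for r in rules if child_of(r, parent)),
                        key=lambda r: -r["level"])  # stable: ties keep load order
        for r in ranked:
            if matches(r):
                return walk(r) or r
        return None
    return walk(None)

# Rule 1002 approximated (level 2, matches "failed", loads before local rules);
# the other two rules are dan's quick example with 100100's level as a parameter.
RULE_1002 = {"id": 1002, "level": 2, "groups": {"syslog", "errors"}, "match": "failed"}
def winning_rule(level_100100):
    rules = [RULE_1002,
             {"id": 100100, "level": level_100100, "groups": {"zabbix"}, "decoded_as": "zabbix"},
             {"id": 100101, "level": 2, "groups": {"syslog", "local"}, "if_group": "zabbix",
              "match": "Sending list of active checks to"}]
    return (evaluate(rules, LOG) or {"id": None})["id"]
```

With 100100 at level 2 the model lands on 1002, exactly as Scott's first logtest did; at level 4 it lands on 100101 via the zabbix group.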


Re: [ossec-list] Re: Help with decoder + rules

2012-11-23 Thread dan (ddp)
On Tue, Nov 20, 2012 at 5:38 PM, Scott wa6...@gmail.com wrote:
> I should mention this is OSSEC 2.7
>
> On Tuesday, November 20, 2012 4:35:31 PM UTC-6, Scott wrote:
>
> > Hi everyone,
> >
> > Sorry to be on the list so much, but I've hit another block in my
> > understanding of ossec.
> >
> > What am I doing wrong here?  The decoder seems to work, but the rule does
> > not match!
> >
> > etc/local_decoder.xml:
> > <decoder name="zabbix">
> >   <prematch>^Zabbix Server[\d+]: </prematch>
> > </decoder>
> >
> > <decoder name="zabbix-check-failed">
> >   <parent>zabbix</parent>
> >   <regex offset="after_parent">Sending list of active checks to [(\S+)] (failed): host [(\S+)] not found</regex>
> >   <order>dstip,status,extra_data</order>
> > </decoder>
> >
> > rules/local_rules.xml:
> > <group name="zabbix">
> >   <rule id="100100" level="2">
> >     <decoded_as>zabbix</decoded_as> <!-- tried also with this commented out -->
> >     <description>Zabbix server messages</description>
> >   </rule>
> > </group>
> > (I've also tried with zabbix-check-failed in local_rules.xml)
> >
> > Running logtest:
> >
> > $ echo 'Nov 20 21:05:33 abc Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found' | bin/ossec-logtest
> > 2012/11/20 22:26:39 ossec-testrule: INFO: Reading local decoder file.
> > 2012/11/20 22:26:39 ossec-testrule: INFO: Started (pid: 10478).
> > ossec-testrule: Type one log per line.
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Nov 20 21:05:33 abc Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found'
> >        hostname: 'abc'
> >        program_name: '(null)'
> >        log: 'Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'zabbix'
> >        dstip: '1.2.3.4'
> >        status: 'failed'
> >        extra_data: 'abc.example.com'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '1002'
> >        Level: '2'
> >        Description: 'Unknown problem somewhere in the system.'
> > **Alert to be generated.



Add a rule that does something:

  <rule id="100101" level="1">
    <if_sid>100100</if_sid>
    <match>Sending list of active checks to</match>
    <description>Silly.</description>
  </rule>

# cat /tmp/h | /var/ossec/bin/ossec-logtest
2012/11/23 08:19:20 ossec-testrule: INFO: Reading local decoder file.
2012/11/23 08:19:20 ossec-testrule: INFO: Started (pid: 2710).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: 'Nov 20 21:05:33 abc Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found'
       hostname: 'abc'
       program_name: '(null)'
       log: 'Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found'

**Phase 2: Completed decoding.
   decoder: 'zabbix'
   dstip: '1.2.3.4'
   status: 'failed'
   extra_data: 'abc.example.com'

**Phase 3: Completed filtering (rules).
   Rule id: '100101'
   Level: '1'
   Description: 'Silly.'
**Alert to be generated.


1002 actually matches something (fail) more than the decoder, I think
that's why it is being prioritized over a grouping rule.


[ossec-list] Re: Help with decoder + rules

2012-11-20 Thread Scott
I should mention this is OSSEC 2.7

On Tuesday, November 20, 2012 4:35:31 PM UTC-6, Scott wrote:

> Hi everyone,
>
> Sorry to be on the list so much, but I've hit another block in my
> understanding of ossec.
>
> What am I doing wrong here?  The decoder seems to work, but the rule does
> not match!
>
> etc/local_decoder.xml:
> <decoder name="zabbix">
>   <prematch>^Zabbix Server[\d+]: </prematch>
> </decoder>
>
> <decoder name="zabbix-check-failed">
>   <parent>zabbix</parent>
>   <regex offset="after_parent">Sending list of active checks to [(\S+)] (failed): host [(\S+)] not found</regex>
>   <order>dstip,status,extra_data</order>
> </decoder>
>
> rules/local_rules.xml:
> <group name="zabbix">
>   <rule id="100100" level="2">
>     <decoded_as>zabbix</decoded_as> <!-- tried also with this commented out -->
>     <description>Zabbix server messages</description>
>   </rule>
> </group>
> (I've also tried with zabbix-check-failed in local_rules.xml)
>
> Running logtest:
>
> $ echo 'Nov 20 21:05:33 abc Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found' | bin/ossec-logtest
> 2012/11/20 22:26:39 ossec-testrule: INFO: Reading local decoder file.
> 2012/11/20 22:26:39 ossec-testrule: INFO: Started (pid: 10478).
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Nov 20 21:05:33 abc Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found'
>        hostname: 'abc'
>        program_name: '(null)'
>        log: 'Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found'
>
> **Phase 2: Completed decoding.
>        decoder: 'zabbix'
>        dstip: '1.2.3.4'
>        status: 'failed'
>        extra_data: 'abc.example.com'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '2'
>        Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.